RpcSs killing processes in Windows 2000

For the last two days I've been struggling with a particularly irritating computer problem. I was called on Monday morning to say a Windows 2000 machine had a virus. An initial glance suggested spyware was killing processes: Explorer worked fine, but anything else - task manager included - was shut down immediately. This is pretty standard stuff for spyware, and I didn't anticipate much trouble. Sadly, I was wrong.

I deleted an obvious 'Windows Antispyware 2008' to no effect, and virus / anti-spyware scans revealed nothing. I shut down all the non-essential services I could find, and even ran a quick scan for rootkits, but couldn't find anything.

The problem was also there in Safe Mode, but not, I discovered by total chance, in Safe Mode with Networking. That was weird. The latter *should* just be the former + a network driver. This seemed consistent, then it happened once in SFw/N, and I started to think it might be hardware.

Admittedly it all felt a bit specific for that - you'd think hardware would kill everything, not just certain programs - but it could be to do with power draw. Plus, PSU problems have been known to have very weird symptoms. But a test PSU made no difference, the RAM checked out fine, and the (8-year-old) hard drive passed its fitness test. I thought I was onto something when I spotted the cpu fan slowing down and stopping in everything but SFw/N, but this was a red herring¹.

I eventually tracked it down by comparing the running processes in Safe Mode and Safe Mode w/ Networking (by repeatedly opening task manager and writing down names before it got nuked). The former, bizarrely, had an extra svchost.exe running. svchost.exe is a generic holder for background programs, and I needed more details. This is easy enough in XP, but in Windows 2000 you need the tlist support tool. The process turned out to be RpcSs: Remote Procedure Call. This was a new one on me, but it essentially controls background communications between programs. Disabling it solved the problem, but created a thousand more.

Turns out, RpcSS is vital. And here's where I got stuck. I just couldn't find any elegant ways to fix it. RpcSS is too low-level and important, and can't simply be reinstalled. Eventually I went with the old-school Magic Fix: the repair install. This just installs Windows over the top of itself, and while it's often equivalent to using a sledgehammer to crack a wotsit, it generally solves the problem. Not this time. Windows died, and wouldn't come back. In the end I was forced to reinstall from scratch, which is always the last resort².

That's really irritating. Usually, the hard part is diagnosing the problem. Once I know what's going wrong, it's just a matter of research and thinking it through. It's rare that I can know what's wrong but be unable to do anything about it. My best guess is the initial spyware somehow took out RpcSS. Windows 2000 is a bit old-and-busted now, and I'm hoping XP is better secured against such things.

I'm mainly blogging this for googlers facing similar issues. I couldn't find any references to problems manifesting in Safe Mode but not Safe Mode with Networking. Very odd one.

1. the motherboard was actually slowing down the processor so it could disable the fan and keep things quiet. I turned this off. [↩]
2. Also I'd forgotten Windows 2000 comes with IE5.0. Ugh. [↩]